Security updates for devuan jessie

New forum member greets the community. Very happy with devuan: running it on all seven machines at work. Finding it extremely stable even under heavily loaded production machines. Well done you all! I am struggling to understand how to apt-get security updates now that debian jessie has gone oldstable. Could I ask a possibly dumb question, please?

What should I have in my sources.list to keep my devuan jessie up to date? I am particularly concerned with the 23 CVEs in the security advisory 3926-1 (chromium) and the 10 CVEs in 3927-1 (kernel), although the debian oldstable patches are not yet available for the kernel. I only run chromium on two of the machines, chrome on a third, the rest are headless.

So: should I upgrade chromium to chrome and use the google repository, or is there an additional repository that I should include in sources.list to keep things devuan. I am not getting any updates at all at the moment.

Hope it's not too dumb a question.

Many Thanks for the hard work going on behind the scenes. It's very much appreciated.

For the stable distribution (stretch), these problems have been fixed in version 60.0.3112.78-1~deb9u1.

For the unstable distribution (sid), these problems have been fixed in version 60.0.3112.78-1 or earlier versions.

So what am I doing wrong? Any help with the following four questions would be appreciated.

Q1. Why is apt not replacing chromium v57 with v60?

Q2. Why are there no log entries for the failed updates, which included an aborted 'unauthenticated packages' warning which prompted the reinstallation of devuan-keyring and the subsequent apt-key update?

Q3. Devuan bug report logs - #24 devuan-project: Cannot update Chromium (https://bugs.devuan.org/db/24/24.html) refers to a solution at https://dev1galaxy.org/viewtopic.php?id=444, but the link is broken. Does anyone have a working link?

Q4. Why am I not getting any security updates at all: kernel and postgresql are still unpatched, but the jessie- and stretch-backports updates worked ok?

Re: Security updates for devuan jessie

I'll take the easy ones...

Q1: You won't get chromium v.60 in jessie because it's not there. 57 is in jessie and jessie-security. In fact, you won't get 60 in ascii or stretch, either. It's 59 there. Chromium-60 is in ceres/sid. I don't see any chromium in jessie-backports. (Note: I hope your "stretch-backports" is a typo. Don't use debian repos in your sources.)

Q3: The link works fine here. Maybe you tried to access it yesterday during forum maintenance. It's a thread about problems upgrading to chromium 56 or 57, back in March. Probably not relevant.

The following is for informational purposes. If you can get output that looks like this, you are in deep trouble. Don't use debian repos in your sources. (If I ever do an upgrade without fixing my sources first, I'm screwed.)

Re: Security updates for devuan jessie

Is it possible you have auto-updates/unattended-updates turned on? If you do there is nothing for you to ever upgrade. I've only larked around jessie for the amount of time it takes to switch repositories, update/upgrade and go upstream. Jessie was stable for debian last month, so we are a few weeks behind. Big deal, try Arch if you don't worry about security bugs popping up all the time about what you have been running for months if not years.

If you choose an off-distribution package that does not bring any dependencies of its own, or even worse replaces some of the existing ones, in the worst-case scenario it may not work. If you mix-match dependencies then you are on your own and things may get irreversibly messed up.

Then there is the case of someone jumping up to testing or unstable, not liking how things work and reversing back to stable, and expecting updates. They may not come for months or even years unless they are a security patch that affects everyone.

Replacing common dependency packages with something newer will have the same ill effects on the rest of the system whether you jail the package or not.

Re: Security updates for devuan jessie

Hi,

My devuan ascii has also not been getting any updates for the last few days. This may be fine, but I am really worried about "ascii-security". According to the DSA, a few packages need to be upgraded for my system (firefox-esr etc.). Apart from "rsyslog" my system is also stable for now.

Re: Security updates for devuan jessie

@gnath - did you backport 'rsyslog' or replace it?? There are two suggested replacements - I did one of them.

AFAIK there aren't really any 'updates' published for ASCII - they are still working on the alpha version. You might take the DSA info (not familiar with it) and do a manual apt-get on the specific packages.

[All part of testing a new distro - please report any findings or updates.] The devs might incorporate some of the changes as needed for the ascii-alpha.

Hopefully helpful

Re: Security updates for devuan jessie

@garyz.dev1 - My system was updated from devuan jessie, which was a clean install from the devuan DVD installer. I only have devuan ascii-updates & ascii-security, no backport or proposed. What is the other choice? Dist-upgrade has given

The Devuan community is really helpful. I know the devs are pre-occupied and updates will be available when ready. Devuan security updates probably come from the Debian Security Advisories (DSA) published on the debian main page. These updates cover related CVEs for debian packages like firefox-esr, linux (kernel), chromium-browser, postgresql (@leloft) etc. for the respective suites. I incorporated the debian security repo in my sources.list as

deb http://security.debian.org/ stretch/updates main contrib non-free

and received a few updates last night too, including the first two packages above. I ensured that it does not include devuan packages. This may not be the right way, but for the time being ascii users may like this path.

Re: Security updates for devuan jessie

Thanks for your concern. True, this is not right. I have only ascii, -updates, -security & don't mix repos. I am fine with the present rsyslog & waiting for an update. Shall try the other two for enhanced functionality.

I was tempted by the security updates only for the forked firefox-esr & linux-image- as those were not available from ascii-security. I checked for any systemd intrusion other than libsystemd0, which is already in my ascii. Those two packages are the most used. I use ascii & ceres knowing their implications well. As a general user I would not try the same and would wait for better. Version numbers will not be a problem for forked debian packages. You would appreciate that in the unix/linux world declared exposure has its own importance, at least for stable server/production systems. Regular updates of any repo will be a healthy sign for a distro.

Re: Security updates for devuan jessie

@gnath & @Ogis1975 you both are using debian-security sources (it appears to me). I think this is the 'mixed repos' that @golinux was referring to, and that is why there is a difference in the version numbers.

I do believe Devuan Jessie is the Debian-oldstable (has some systemd-stuff). Devuan ASCII is our next release that won't have systemd-stuff (I don't think there is a direct cross from the Debian series). AFAIK Devuan relies on Debian packages/etc UNLESS they have some systemd-stuff: Devuan modified packages come first, then filled in with Debian.

HTH - GaryZ

Re: Security updates for devuan jessie

In fact, you won't get 60 in ascii or stretch, either. It's 59 there. Chromium-60 is in ceres/sid.

Hello. You are wrong. The Chromium version in Stretch is 60.0.3112.78

I'm not entirely wrong. 59 is in stretch and 60 is in stretch-security, which I did not enable. Guess I should do that if I want to see all versions.

About mixing repos: I don't know what these other folks are running, but I always disable all the extra repos before I install anything or upgrade. They are only enabled so I can see all versions with 'apt-cache policy <package>'.

Re: Security updates for devuan jessie

I can offer half an answer to my own question (Q2, post#6):

If Amprolla is down or otherwise unavailable, apt-get appears to use the underlying debian repos in consequence. This results in a whole bunch of unauthenticated packages (because I have the devuan keyring, not the debian one) including packages which are normally held back. Although this constitutes using mixed repos, it appears like normal behaviour to apt-get, and so it simply gets logged as a straightforward upgrade. This has happened three times now: it appears that this behaviour is reproducible. I don't know enough to call it a bug, but it seems serious enough to warrant flagging up. Perhaps someone who knows more than me could confirm and escalate if necessary. For the rest of us noobs, just exercise caution if Amprolla is unavailable.

Re: Security updates for devuan jessie

This makes some sense and explains some breakage in ascii/ceres where the block on sysD dependencies may not be as effective yet. So, would a solution be to remove or mess up the Debian keyring so nothing that is not in Devuan comes in? I have noticed times with the devuan repositories either being slow or partially available (2 may work, one produces errors), which questions the above. If it automatically switches to debian when devuan is not available, how come the error is produced?

I've had one installation left where between X and dm the input devices freeze, which never happens in debian or other installations. Unplugging and plugging them back in (usb) fixes the problem till the next reboot. It happened on ceres, then days later in ascii. I dumped the ceres and kept the ascii. This was more than a month ago. I have two other installations both running ascii with a very similar setup to start with, and the problem never occurred. I never touched any X configuration; it is all as it was installed and happens with all dm that I tried.

Leloft's explanation is the only logical one I have found, a mix-match of devuan/debian upgrades.

Re: Security updates for devuan jessie

leloft wrote:

I can offer half an answer to my own question (Q2, post#6):

If Amprolla is down or otherwise unavailable, apt-get appears to use the underlying debian repos in consequence. This results in a whole bunch of unauthenticated packages (because I have the devuan keyring, not the debian one) including packages which are normally held back. Although this constitutes using mixed repos, it appears like normal behaviour to apt-get, and so it simply gets logged as a straightforward upgrade. This has happened three times now: it appears that this behaviour is reproducible. I don't know enough to call it a bug, but it seems serious enough to warrant flagging up. Perhaps someone who knows more than me could confirm and escalate if necessary. For the rest of us noobs, just exercise caution if Amprolla is unavailable.

I checked with someone who knows more than both of us put together (CenturionDan):

if that happens then there is a debian stanza in either /etc/apt/sources or /etc/apt/sources.d/

Silly question for my own clarity: are CenturionDan's '/etc/apt/sources' and '/etc/apt/sources.d' missing from my '/etc/apt/*' or are they shorthand for '/etc/apt/sources.list' and '/etc/apt/sources.list.d'? Where else should I be looking? Sorry if I've missed the point.
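The check CenturionDan's remark points at (a Debian stanza sitting in sources.list or sources.list.d) and the fallback to debian.org repos leloft describes above can both be looked for with a script like the one below. This is an added example, not from the thread or from Devuan; MIRROR.example is a placeholder and the sample files it scans are constructed here.

```shell
#!/bin/sh
# Added example (not from the thread or Devuan): list active Debian stanzas in
# an apt sources tree. Matching is by hostname only (*.debian.org), so a
# third-party Debian mirror would not be flagged.

# find_debian_stanzas [DIR]
#   DIR defaults to /etc/apt. Scans DIR/sources.list and DIR/sources.list.d/*.list
#   for uncommented deb/deb-src lines (with optional [options]) whose host ends
#   in debian.org and prints each as FILE:LINENO:LINE.
#   Exit status is 1 if at least one stanza was found, 0 if none.
find_debian_stanzas() {
    apt_dir="${1:-/etc/apt}"
    found=0
    for f in "$apt_dir/sources.list" "$apt_dir"/sources.list.d/*.list; do
        [ -f "$f" ] || continue
        if matches=$(grep -nE \
            '^[[:space:]]*deb(-src)?[[:space:]]+(\[[^]]*\][[:space:]]+)?[a-z]+://[^[:space:]/]*debian\.org' \
            "$f"); then
            found=1
            printf '%s\n' "$matches" | sed "s|^|$f:|"
        fi
    done
    return $found
}

# Constructed sample tree, not real system files: a Devuan-only sources.list
# (MIRROR.example is a placeholder) beside a stray file carrying two Debian
# stanzas, one of them the stretch/updates line quoted earlier in the thread.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/sources.list.d"
    cat > "$dir/sources.list" <<'EOF'
deb http://MIRROR.example/merged jessie main
deb http://MIRROR.example/merged jessie-security main
# deb http://security.debian.org/ jessie/updates main
EOF
    cat > "$dir/sources.list.d/stray.list" <<'EOF'
deb http://security.debian.org/ stretch/updates main contrib non-free
deb-src [arch=amd64] http://deb.debian.org/debian stretch main
EOF
    printf '%s\n' "$dir"
}

sample=$(make_sample_tree)
find_debian_stanzas "$sample" || echo "Debian stanzas present: fix sources before upgrading"
rm -rf "$sample"
```

Run it with no argument to scan the real /etc/apt; the commented-out jessie/updates line in the sample is deliberately ignored, only active stanzas count.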

Re: Security updates for devuan jessie

Don't use backports unless there is a specific reason you want a backport. Backports make sense in oldstable in debian as there are several editions. Here we only have one. I made the same mistake earlier on my devuan student session. So everything looks fine. In my opinion, as light as it may be, this jessie was too early to be called 1.0, it should have retained its beta tag till ascii gets finished/audited. Ascii seems barely started, and stretch on the other side seems a bit problematic as compared to previous stable editions. If I am not mistaken, stretch went into freeze for the longest time in debian history. Unlucky timing for devuan? Jessie 8 had more than 500 bug tickets open before stretch became stable. One systemd mess chasing another.

Re: Security updates for devuan jessie

fungus wrote:

In my opinion, as light as it may be, this jessie was too early to be called 1.0, it should have retained its beta tag till ascii gets finished/audited. Ascii seems barely started, and stretch on the other side seems a bit problematic as compared to previous stable editions. If I am not mistaken, stretch went into freeze for the longest time in debian history. Unlucky timing for devuan? Jessie 8 had more than 500 bug tickets open before stretch became stable. One systemd mess chasing another.

In my opinion, the mistake wasn't calling jessie stable, it was calling it jessie! Of course, jessie is Devuan stable, but jessie is Debian oldstable. Debian stable is stretch, but the Devuan branch that tracks stretch is not even alpha - call it testing. So people say 'jessie', or 'stable' or 'testing' or this or that, and it gets very confusing very fast. Whose stable? Which jessie? Yes, often you can tell from context, but sometimes not so much.

And yes, Debian is dealing with one systemd mess chasing another... I did some testing with Stretch this morning, and I feel like I need to take a shower :-) I don't think it's any stretch (ha ha!) to say that systemd disgusts me. I'm back to my usual dual-boot between ascii and (Devuan!) jessie...